System and method for controlling inter-application association through contextual policy control

ABSTRACT

A method for controlling the interoperation of a plurality of software applications and resources includes intercepting communications from a first application to a second application or resource, directing the communication to a context management system, generating a candidate list of contexts for the communication, evaluating the candidate list according to at least one policy defined for these contexts to identify the resultant action and namespace for the communication, and performing the action as defined by the policies within the identified namespace. The method further includes tracking one or more versions of the second application, as well as tracking an evolution of application and/or resource names. The method further includes identifying one or more operations associated with a context on the candidate list, and executing the identified operations prior to a further communication.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.13/154,323, filed Jun. 6, 2011, which is a divisional of U.S. patentapplication Ser. No. 11/191,595, filed Jul. 28, 2005, which claimspriority to provisional application Ser. No. 60/598,234, filed on Aug.3, 2004, the contents of which are incorporated by reference herein intheir entirety.

TECHNICAL FIELD

The present invention relates to computer software, and moreparticularly to operating system software.

BACKGROUND

In many environments, but particularly in environments where anapplication is delivered via a network, the most important feature is anability to run applications on the fly, without a complex installation.Typically, in certain prior art systems, great pains were taken tomodify a client system to appear as if a program was installed, or toactually install the software itself, and then back out thesemodifications to restore the original configuration. In doing this,multiple problems present themselves: conflicts between an applicationand the computer's current configuration, multiple instances of the sameor different applications, complexity of the back out process requiresan application to be put through a rigorous process to ensure all of itsmodifications can be accounted for, and the use of shared files andsystem components by multiple applications complicates back out and theinstallation process.

Within many application execution environments, it is desirable tosegregate applications to prevent systemic failures due to sociabilityand versioning problems. Segregation, however, could prevent theseprograms from interoperating unless configured to do so. This problem isparticularly acute in “virtual installation” environments, wherebysoftware applications are executed within an operating system, but arenot in fact installed in that operating system (OS), or in some casesare installed and removed on the fly.

SUMMARY

The embodiments in accordance with the invention are directed tofacilitating inter-application communication and association in thepresence of an environment that was either not designed to do so, orthrough default behavior, requires additional system configuration. Theembodiments retain the original premise of the system, providing runtimesegregation of applications, but allowing interoperability under strictadministration and operating policies.

In accordance with one aspect of the invention, a method for controllingthe interoperation of a plurality of software applications and resourcesincludes intercepting communications from a first application to asecond application or resource, directing the communication to a contextmanagement system, generating a candidate list of contexts for thecommunication, evaluating the candidate list according to at least onepolicy defined for these contexts to identify the resultant action andnamespace for the communication, and performing the action as defined bythe policies within the identified namespace. The method furtherincludes tracking one or more versions of the second application, aswell as tracking an evolution of application and/or resource names. Themethod further includes identifying one or more operations associatedwith a context on the candidate list, and executing the identifiedoperations prior to a further communication. The candidate list isgenerated from one or more distributed contexts. These communicationsinclude at least one of inter-process communications, operating systemcalls, API calls or library calls. The context includes at least one ofa global context, managed context, local system context, system virtualcontext, vendor context, user context, session context, shared context,or isolated context. The policy includes at least one of a matchmnemonic for identifying when the policy applies, a plurality of requestcorrelation parameters and rules for applying the policy.

In accordance with another aspect of the invention, a method fordefining alternate namespaces for applications to be executed withinother applications or resources, includes intercepting calls for aresource of a common name, identifying a target namespace for the call,translating the common name into a local name usable by applicationswithin that namespace, and providing access to the resource identifiedby that local name. The method further includes tracking one or moreversions of applications, as well as tracking an evolution ofapplication or resource names. The local name can also be translatedinto an absolute name such that access to the resource identified by thelocal name can be facilitated to a resource identified by a differentlocal name in an alternate namespace. The step of identifying the targetnamespace includes one or more distributed queries, wherein at least onequery for the target namespace may be performed to a management systemwhich tracks namespace common to one or more systems.

In accordance with another aspect of the invention, a system forcontrolling the interoperation of a plurality of software applicationsand resources, includes a context management system to generate acandidate list of contexts for a communication, a policy engine toevaluate the candidate list according to at least one policy defined forthe contexts and the policy engine further identifying the resultantaction and namespace for the communication, and a virtual environmentmanager to direct the communication from a first application to a secondapplication or resource to the context management system, the virtualenvironment manager receiving instructions indicative of the resultantaction as defined by the at least one policy within the identifiednamespace.

The present invention provides a system for creating an applicationsoftware environment without changing an operating system of a clientcomputer, the system comprising an operating system abstraction andprotection layer, wherein said abstraction and protection layer isinterposed between a running software application and said operatingsystem, whereby a virtual environment in which an application may run isprovided and application level interactions are substantially removed.Preferably, any changes directly to the operating system are selectivelymade within the context of the running application and the abstractionand protection layer dynamically changes the virtual environmentaccording to administrative settings. Additionally, in certainembodiments, the system continually monitors the use of shared systemresources and acts as a service to apply and remove changes to systemcomponents.

Thus, for example, in embodiments within Windows-based operatingsystems, and wherein all operations to the Windows Registry are throughthe Win32 API, the system preferably provides a means for hookingfunctions, whereby each time said functions are invoked another functionor application intercepts the call, and the system most preferably hookseach appropriate API function to service a request whether made by anapplication run from a server or if made by an application against aconfiguration key being actively managed.

The foregoing and other features and advantages of the invention will beapparent from the following more particular description of embodimentsof the invention, as illustrated in the accompanying drawings in whichlike reference characters refer to the same parts throughout thedifferent views.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram schematic showing the relative relationship ofthe present invention, an operating system and a software application;

FIG. 2 is a block diagram schematic showing two applications runningwith private contexts and services;

FIG. 3 is a block diagram schematic showing two applications runningwhile the operating system provides shared views of the systemresources;

FIG. 4 is a block diagram schematic showing an operating system guardand subsystems;

FIG. 5 illustrates an exemplary host operating system including multiplesystems having one or more computing devices in accordance with anembodiment of the present invention wherein the view of the entiresystem corresponds to a global context;

FIGS. 6 and 7 illustrate different contexts in accordance with anembodiment in an exemplary system illustrated with respect to FIG. 5such as global, managed, local system, system virtual, vendor, user,session, shared and isolated;

FIG. 8 illustrates a block diagram of two applications utilizing theresources of each other and the operating system and the three differentconfiguration files for the resources in accordance with an embodimentof the present invention;

FIG. 9 illustrates a block diagram of a software core used to determinerelevant contexts and available scopes in accordance with an embodimentof the present invention;

FIG. 10 illustrates a process tree used by a process manager inaccordance with an embodiment of the present invention;

FIG. 11 illustrates a diagram of the context manager which includes atable of the available contexts of a system, as well as the associationsbetween contexts in accordance with an embodiment of the presentinvention; and

FIG. 12 illustrates a diagram of a resource being attached to a resourcetree of another program in accordance with an embodiment of the presentinvention.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

Referring now to FIG. 1, there is illustrated a block diagram schematicshowing the relative relationship of the present invention, an operatingsystem and a software application. Preferred embodiments of the presentinvention provide an operating system abstraction and protection layer100 denominated an “Operating System Guard.” Internally, many operatingsystems 10 provide fault domains to protect applications 50 fromaffecting each other when run. However, shared system resources and manyother operating system features allow this protection domain to becompromised. An operating system abstraction and protection layer 100will provide an additional, programmatically controlled barrier betweenapplications 50 to remove most application level interactions. Disposedbetween the application 50 and operating system 10 the operating systemabstraction and protection layer 100 selectively allows changes directlyto the operating system 10, versus containing the change within thecontext of the running application. For one example, in Windows-basedsystems, all operations to the Windows Registry are typically donethrough the Win32 APL. As explained below, system functions likeQueryRegEx and GetProfileString can be hooked so that each time they areinvoked, another function or application intercepts the call. TheOperating System Guard 100 of the present invention will hook eachappropriate API function to service the request, if made by anapplication being actively managed or if made by an application againsta configuration item being actively managed. In this way, unlessexplicitly configured to do so, the embodiments of the present inventioncan create the application environment without making any actual changesto the end-user's system. Also, any modifications made at run-time bythe application can be persisted or removed easily.

As used herein the term “Operating System Guard” defines a layer betweena running application and the operating system of a target computer orclient computer that provides a virtual environment in which anapplication may run. This virtual environment has several purposes.First, it prevents a running application from making changes to theclient computer. If an application attempts to change underlyingoperating system settings of a client computer, such settings areprotected and only “made” in the virtual environment. For example, if anapplication attempts to change the version of a shared object likeMSVCRT.DLL, this change is localized to the application and the coderesident on the client computer is left untouched.

Second, an embodiment of the invention presents an environment to arunning application that appears to be an installation environmentwithout performing an installation, and is thus a “pseudo installation”or installation-like.” All of the settings are brought into a virtualenvironment at the time the application being served runs, orjust-in-time when the application needs the particular setting. Forexample, if a computer program such as Adobe Photoshop® expects to see aset of Windows Registry entries under HKEY_LOCAL_MACHINE\Software\Adobeand they are not there on the client computer since Photoshop was neverinstalled, a system made in accordance with this aspect of the presentinvention will “show” those registry entries to the Photoshopprogramming code exactly as if they were resident on the clientcomputer.

Next, an embodiment of the invention prevents information that may existon the client/users machine from interfering with or modifying thebehavior of an application. For example, if the user has alreadyexisting registry entries under:

-   -   HKEY_LOCAL_MACHINE\Software\Adobe

for an older version of Photoshop, but now wishes to operate a newerversion, these entries can be hidden from the new application to preventconflicts.

Finally, an embodiment of the present invention unlocks applicationbehavior that may not exist as the application is currently written. Itdoes this through the ability to dynamically change the virtualenvironment according to administrative settings. For example, in atypical instance of an enterprise software application, a clientapplication may expect to read a setting for the address of the databaseto which the user should connect from a setting in the registry. Becausethis registry key is often stored in HKEY_LOCAL_MACHINE, the setting isglobal for the entire client computer. A user can only connect to onedatabase without reinstalling the client, or knowing how to modify thisregistry key, and doing so each time they wish to run the application.However, by implementing the present invention, two instances of theapplication may now run on the same client computer, each connecting toa different database.

Contexts

In providing this functionality, each application is able to run in aprivate context within the system. To the application, it has its ownprivate view of what the system looks like and its behavior. Theembodiments of the present invention provide this by its inherentnature. Referring to FIG. 2, two separate applications 52, 54, or twoinstances of the same application (50 illustrated in FIG. 1), can beprovided private contexts in which they will appear to have separate ordiffering copies of system services, configuration and data. In thepreferred embodiment, this is the default behavior of the system.

By extending this concept, the Operating System Guard 100 of anembodiment of the present invention can also provide shared, controlledcontexts in which two or more applications 52, 54 can share some or allof their virtual settings. This is important for application suites suchas Microsoft Office, or for applications that perform differently in thepresence of other applications. For example, many applications useMicrosoft Word as an engine for doing Mail Merge or document creationfunctionality. The application must know about the installation orpresence of Word and be able to tap into its functions. In the preferredembodiment, two instances of the same application will share a singlecontext by default, while two separate applications will maintainprivate contexts. Referring to FIG. 3, the two applications 52, 54 canrun while the Operating System Guard 100 provides a shared view of theavailable system resources.

Design

As illustrated in FIG. 4, the Operating System Guard is comprised of thefollowing subsystems: core 102, configuration manager 104, file manager106, shared object manager 108, device manager 110, font manager 112,process manager 120, process environment manager 114, loader 116, andrecovery manager 118. With the exception of the core 102, the processmanager 120, and the loader 116, all other subsystems are elements ofthe Virtualization System described in further detail hereinafter. Thecore 102 is primarily responsible for managing applications and theircontext as defined by the configuration files.

The process manager 120 provided by the Operating System Guard allowsthe core 102 to be informed of any process or thread event that may beof interest. It also provides an abstraction layer to the operatingsystem-dependent implementations for managing a process space andhandling thread processing. Processes may be grouped together intoapplication bundles. An application bundle is a group of processes whichall share their virtual resources with each other. For example,Microsoft Word and Microsoft Excel may want to share the virtualregistry and virtual file system to be able to work together as anapplication suite. The process manager 120 calls these applicationbundles “applications”. The information about an application existsuntil the process manager 120 is told to release the application. Ifanother process needs to be loaded into the application bundle, it maydo so as long as the application has not been released.

The loader subsystem 116 of an embodiment of the present invention isused to allow virtual environments to be transferred into and out of therunning system. Each of the Virtualization Subsystems is capable ofserializing its configuration for the loader 116, and retrieving itthrough the reverse process. In addition, the loader 116 is capable ofstaged loading/unloading and combining the results of individual stagesinto one single environment description.

Registry and Configuration

Applications require varying amounts of configuration information tooperate properly. Anywhere from zero to thousands of configurationrecords exist for which an application can read its configuration. OnWindows, there are two common places for configuration information, theWindows Registry and system level initialization files win.ini andsystem.ini. In addition, the \WINDOWS\SYSTEM directory is a common placefor applications to write application specific configuration orinitialization files. Applications will also use configuration or datafiles in their local application directories to store additionalconfiguration information. Often this information is difficult to dealwith, as it is in a proprietary format. On platforms other than Windows,there is no equivalent of the Registry, but common directories exist forconfiguration information. X Windows has an app-defaults directory.Macintosh has the System Folder, and other operating systems will havecorresponding elements. It is important to note that on most UNIXsystems, each individual application 52, 54 will most often store itsown configuration 62, 64 locally, as seen in FIG. 2.

An embodiment of the present invention includes a virtual WindowsRegistry component, which provides a full function registry to anapplication, but prevents modification to the underlying systemregistry. All keys that an application expects to access will bepresent, but may only exist in the virtual registry. In this way, theOperating System Guard 100 of the present invention and the WindowsRegistry form a two-stage process for accessing the registry. If anapplication needs access to a key, it will query the Registry. TheOperating System Guard will respond with the key and its value if itknows it. Otherwise, it will allow the request to pass through to theWindows Registry. If an attempt is made to modify the value, theOperating System Guard will allow the modification to occur to itselfonly. The next time the application accesses the key, it will be presentin the Operating System Guard and the request will not flow through tothe real Registry, leaving it untouched.

The keys that the Operating System Guard uses are specified in threeseparate sections. These Operating System Guard keys are specified ascommands in these sections to modify an existing key, delete thepresence of a key, or add a new key to the registry. In this way, thevirtual registry can appear exactly as the system intends. This isimportant as the presence or absence of a key can be as important as theactual value of the key.

In an embodiment, the Operating System Guard first loads a data filethat contains basic registry entries for the application. Then a seconddata file is loaded that contains the user's preferences. Finally, theOperating System Guard can optionally load a set of keys that includepolicy items that the user is not allowed to override. The three filesload on top of each other with duplicate items in each file overridingitems in the file before it. The first time a user runs an application,the second data file will not exist because there will be nouser-specific information, only application defaults. After eachsession, though, the Operating System Guard will save the user'schanges, generating that second data file for use in future sessions.

Configuration files can be modified in two ways. First, the file can beedited directly by an application. In this scenario, the OperatingSystem Guard File subsystem described hereinafter will address themodification made to the file. Second, in the preferred embodiment, anapplication can call the Windows API family of calls GetProfileString,WriteProfileString, or others to modify these files. In this case, theOperating System Guard of an embodiment of the present inventionperforms exactly as described above intercepting these calls andservicing them from within.

Shared Objects

Many components used by operating systems and running applications areshared across several applications or instances. In general, this is avery good idea. It saves disk space, not requiring many copies of thesame file. It also provides the ability for operating system vendors andthird parties to create and distribute libraries of commonly used code.On the Windows platform, Dynamic Link Libraries, DLLs, are often sharedwithin and across applications. On other platforms, the problem is thesame. On the Macintosh, INITs and other system components are loaded forapplications. These components can have many versions, of which only oneis used at a time. On UNIX systems, dynamic shared objects, e.g., “.so”library files, are used by applications to speed load time, save diskspace, and for other reasons. Many programs use the default “libc. so.”However, this library file is typically a symbolic link to some versionof itself such as libc.so.3. In practice, this feature has createdhavoc. These shared components have often gone through revision, withmany versions of the same component available to be installed.Application authors have found their software to work with potentiallyonly one or some of the versions of the shared component. Thus, inpractice, applications typically install the version they desire,overwriting other present versions. This potentially causes defaults inother applications running on a system.

On Windows 98, Windows 2000, Microsoft has created the Windows ProtectedFile System (WPFS) to allow system administrators to create a filecalled XXXX.LOCAL in the base directory of an application, where XXXX isthe executable file name without the extension. This causes the WindowsLoader to alter its method of resolving path references duringLoadLibrary executions. This, however, is not sufficient to completelysolve the problem. First, setting up the XXXX file is left to theknowledge of the system administrator, which varies widely. Second, acomponent version must undergo a rewind back to the original, theninstall this component in the local directory, and then create the“.LOCAL” file. This is not a straightforward process for any but themost basic components placed in WINDOWS\SYSTEM. Also, this solution doesnot cover all of the needed functionality. During LoadLibrary, Windowsuses different path resolution semantics depending on whether thecomponent was resolved as a result of an explicit or implicitLoadLibrary, and also whether a Registry Key exists indicating that itis a named, or well-known, DLL. In this case, the LoadLibrary call willalways resolve to the WINDOWS\ SYSTEM directory.

DLLs and other shared components also retain reference count semanticsto ensure that a component is not touched unless no running applicationsrefer to it. In practice, only applications from the operating systemvendor and the operating system itself have done a good job of obeyingthis protocol.

As a general rule, it is desired to have a shared object always resolveto the correct component. To provide this functionality it is requiredto understand the version of a component, or range of versions, that anapplication is able to function with. Then, when the application is tobe run, the present invention should ensure that the component isresolved correctly. It is acceptable, in the present invention, toautomate the use of WPFS or other operating system provided capability,if desired. In this case, it is necessary to detect needed componentsand place them in the local file system. This is more complex than justwatching installation, as an installation program will often not installa component if the required one is already there.

It is desired to identify a method to ensure that named objects are alsoloaded correctly. On the Windows platform, MSVCRT.DLL is a significantculprit within this problem area. If multiple versions of this objectare maintained, the aforementioned Registry key can be dynamicallychanged, allowing the LoadLibrary function to resolve the correctcomponent version. Another reasonable method of ensuring correctcomponent loading is the dynamic editing of a process environment to usea valid search path. This search path will ensure that a local componentis resolved before a system wide component. Another possible method forresolution of the correct shared object is through the use of symboliclinks. A symbolic link can be made for a shared component, which isresolved at run-time by the computer's file system to the neededcomponent. Finally, the actual open/read/close requests for informationfrom a shared object's file can be intercepted by the present inventionand responded to dynamically for the correct version of the file whichmay exist on the local system or within the invention's subsystems.

Several special forms exist. On the Windows platform, OLE, ODBC, MDAC, .. . as well as a number of other vendor specific components, are writtento be shared globally among several or all running processes. In thecase of OLE, going as far as sharing data and memory space betweenseparate processes. OLE prevents more than one copy of itself running ata time, as do many of these components. OLE also has many bugs andfeatures requiring a specific version to be loaded for a specificapplication. In the present invention, an application is able to loadwhatever version of OLE is required, still enabling the shared semanticswith other components using the same version of OLE.

In general, unless specifically configured as such, shared objectsshould be loaded privately to ensure conflict prevention. Nothing aboutthe method used to allow a component to be loaded privately shouldprevent it from being unloaded cleanly or correctly loading for anothersoftware application, whether being actively managed by the OperatingSystem Guard or not. In addition, if the system crashes it is requiredto recover from this crash to a clean state, not having overwritten ormodified the underlying operating system.

Files

Many applications use data files within the application to storeconfiguration entries or other application data. The embodiments of thepresent invention provide a virtual file system much like the virtualregistry described herein before. Before the application starts, anembodiment of the present invention can load a list of file systemchanges, including files to hide and files to add to the virtualenvironment or files to redirect to another within the virtualenvironment. Whenever the application accesses or modifies any files,the Operating System Guard checks if the file must be redirected, and ifso, in the preferred embodiment redirects the request to a locationspecified in the Operating System Guard configuration.

If an application tries to create a new file or open an existing filefor writing on a user's local drive, the Operating System Guard mustensure that the file is actually created or modified in the redirectedlocation. If the application is reloaded at a later time, this filemapping must be reloaded into the Operating System Guard virtualenvironment. When the request is to modify an existing file, whichresides on a user's local drive, the Operating System Guard must copythe file in question to the redirection point before continuing with therequest. The redirected files may not be of the same name as theoriginal file to ensure safe mapping of file paths. In an embodiment,INI files are handled in this way to offer maximum system security whileallowing maximum application compatibility.

An embodiment of the present invention is particularly useful forapplications delivered over a network. In such implementations it isimportant to understand that software applications are made of severalkinds of data, where the bulk of the files a software application usesare most preferably mounted on a separate logical drive. Configuration,including both file based and registry based, can be user specific andsystem wide. The application delivery system used should mark each filefor which of these types any file is. This information provides hints tothe Operating System Guard system to act on appropriately.

Device Drivers

Many applications use device drivers or other operating system levelsoftware to implement some of its functions such as hardware support orlow level interactions directly with the operating system. In anembodiment of the present invention, the Operating System Guard providesthe capability of dynamically, and as possible privately, adding andremoving these components to an application's virtual environment.

Many device drivers are built to be dynamically loadable. If at allpossible, it is the preferred embodiment to load all device driversdynamically. If a device driver requires static load at boot time, theuser must be presented with this knowledge before running theapplication. Once the system has rebooted, the application shouldcontinue from where it left off. However, a large percentage of devicedrivers are not dynamically unloadable. Although it is preferred todynamically unload the driver, if this cannot be accomplished the driverwill be marked for removal on the next reboot, and the user should bemade aware of this. If the application is run a second time before thenext reboot, the system should remain aware of the presence of thedriver and not attempt a second installation, waiting for termination toremark the component removable at next reboot.

It is important to characterize the base similarities and differences,as they exist for each device driver class, to ensure the embodiments ofthe present invention can correctly function. It is not desirable toload and unload device drivers for system hardware that is constantlypresent. It should be understood that although this is not a preferredembodiment in terms of programming ease, it is within the scope of thepresent invention and may be required for specific reasons, such as therestriction in licensing agreements for applications that are deliveredand run using the embodiments of the present invention.

On non-Microsoft platforms, device drivers are typically handled verydifferently. Macintosh systems support both static and dynamic drivers,but they are all installed and removed through the same method. Linkingwith the Macintosh system folder will provide the necessary support. ForUNIX systems, device drivers most typically require a modification tothe running UNIX kernel, followed by a reboot. This process can be verycomplex. In an embodiment, this process is automated; includingresetting the kernel once the application is complete. The generalparameters of the process are the same as that described above forWindows applications, the actual process steps of compilation andpersons familiar with such operating systems can carry out reboot.

Finally, those of skill in the art will understand that it is desirableto be able to recover and remove drivers across system failures.Whatever data or processes necessary to retain system integrity aretherefore included in an embodiment of the present invention. Those ofskill in the art will also appreciate that all types of device driversmight not be conveniently or efficiently provided via the embodiments ofthe present invention, most particularly those associated with permanenthardware attached devices.

Other Items

In the embodiments of the present invention, it is recognized that thereare several components, the behavior or presence of which is differenton alternate operating systems. These components include fonts,processes, environment variables, and others.

Some applications require fonts to be installed in order to performcorrectly. Any fonts required will be specified in the Operating SystemGuard's configuration file. The Operating System Guard will enable thesefonts prior to running the application and if necessary remove themafterwards. Most systems have a common area for storage of fonts inaddition to a process for registering them or making the system aware oftheir presence, the Operating System Guard will utilize these availablemethods.

On Windows, a font is copied to the \WINDOWS\FONTS directory. Thishowever does not guarantee that the font is available to the runningprogram. In the preferred embodiment, if the program uses the WindowsAPI to access fonts, the font will need to be registered with a Win32API call such as CreateScalableFontResource/AddFontResource. This willinsert the font into the system font table. Once complete, the OperatingSystem Guard can remove the font with another appropriate API call likeRemoveFontResource, then remove the file from the system. As analternate embodiment, the Operating System Guard could hook the APIfunctions as described in the virtual registry method. In addition, theOperating System Guard can use its File subsystem to avoid placing theactual font file in the running system.

On Macintosh, the process is extremely similar and based on files in theMacintosh system folder and registration activation. On UNIX, however,the process is dependent upon the application. Most typically, fontresources are added to the system as regular files resolved in theproper location, so they can be accessed by name. With many Motifsystems, a font description needs to be placed into a font resourcefile, which will allow the font to be resolved. The Motif or Xapplication can invoke the font either through the resolution subsystemor by a direct call. Recently, many Motif and CDE based systems utilizeAdobe scalable postscript fonts. These fonts need to managed through theAdobe type management system. There are exceptions, however, and asstated above, there are alternates to the Windows or other operatingsystem default font management systems. The Adobe Type Manager providessome alternate interfaces for this process, as do other third party typemanagement systems. In most cases it should be decided whether tosupport the interface or ignore it. The purpose of Operating SystemGuard is not to provide a universal layer for all these systems, only todo so for the operating system's own subsystem.

Many applications require environment variables to be set. This is mostcommon on UNIX systems, but is also heavily used by software, which wasoriginally written on UNIX and ported to the Windows operating systems.Applications on the Windows operating systems heavily rely on the DOSPATH environment variable and often set their own application specificentries. On the Windows 9x/Me environments, there are many environmentsettings, which are applicable as at its core is the DOS subsystem. Ifan application requires the presence of specific variables, or values tobe set in existing environment variables, the required environmentvariables will be specified in the Operating System Guard'sconfiguration file. The Operating System Guard will set these variablesfor the application's main process when it is launched. As applicationsdo not typically change environment settings as they operate, thevirtual environment will not trap these calls, nor will it provide thefull complement of functionality that the registry and configurationsubsystem does.

Recovery

In some cases shown in the previous sections, actual modifications mustbe made to the operating system. This is frequent with device driversand fonts. In addition, changes can be made to the virtual environmentthat need to be persisted and available the next time an application isrun. It is required that the Operating System Guard system be able torecover from changes to the system, removing the change from the systemat its earliest possible opportunity. Alternately, if the system crashesduring an application's execution, the Operating System Guard shouldtrack enough information to remove any change to the system if it isrebooted or otherwise, and should track the changes made to the virtualenvironment. In the preferred embodiment, this is implemented as atransaction log, but can in other embodiments be done as some othersimilar component, which can be read on system startup so that changescan be backed out.

Controlling Virtualization

An important aspect of the invention relates to control of the manyfacets of virtualization which the Operating System Guard is capable of.In the preferred embodiment there exists an instrumentation program ableto ascertain the correct aspects of a software system to control. Alsoincluded is a method to allow administrators and end users to view andmodify those items to be virtualized by the system.

In the automated program, the application to be controlled is observedin order to gauge the aspects of control. The automated program iscapable of performing this task during the installation process of theapplication, during run-time of the application, or a combination ofboth. In the preferred embodiment, the Operating System Guard isembedded in a wrapper application. Post installation, or after one ormany uses of the software, the wrapper application will query theOperating System Guard for a detailed list of all of its actions. Fromthis list of actions, the wrapper application will create theconfiguration files required to load and operate the Operating SystemGuard on subsequent uses.

If used as part of the installation process, the Operating System Guard,in an embodiment, will act as a virtual layer allowing the installationto be entered into its environment only. After the installation, all ofthe files, settings, et. al. can be dumped for reload later. In thisway, the installation will leave the original system intact and willhave automatically created the necessary configuration files. When usedduring use of the application, the Operating System Guard is able torecord either differential modifications to the environment, or recodifythe configuration files.

The Operating System Guard will pass its information to the wrapperapplication for post-processing. In the preferred embodiment, inaddition to the automatic entries that the system can create, thewrapper application is programmed with operating system specific andapplication or domain specific knowledge. This knowledge is used toalter the output of the process to reflect known uses of configurationitems or other entries. In the preferred embodiment, a rules-basedsystem is employed to compare observed behaviors with known scenarios inorder to effect changes to the coding.

The wrapper application is also used as a viewer and/or editor for theconfiguration output of the process. This editor, in the preferredembodiment, enables a system administrator to add, edit, or delete itemsor groups of items from the configuration. In observing theconfiguration through the editor, the administrator can also makereplicas of the configuration, changing specific items as needed toeffect application level or user custom changes.

Referring now to FIG. 1, an embodiment of the present invention isillustrated functionally. In this embodiment, two sets ofapplication/user data 60 are illustrated. The Operating System Guard 100keeps the two instances of the application 50 from interfering with oneanother. In addition, as explained above, the operating system guard 100serves as an abstraction layer and as such collects commands andcommunications between the application software 50 and the actualoperating system 10 of the client computer. As illustrated graphicallyby the arrows, certain commands are between the Operating System Guardand the software application, this is in distinction to typicalinstallations where these commands would instead be acted upon by theoperating system itself, resulting in changes to the client computerthat might not necessarily be what the operator intended. On the otherhand, other commands pass through the Operating System Guard and arethen transferred to the Operating System itself.

Many software applications are designed to operate in conjunction withone or more additional applications. This can be the case for softwaresuch as Microsoft Office, where a set of applications are packaged andsold as one single unit and are often created to work together. This isalso evidenced by many software applications which are designed to “plugin” to another application or communicate with it in some way.

While this is common functionality, many software distribution systemshave difficulty enabling these inter-relationships to functionadequately. This can be due to improper resolution of interdependencieseither during packaging of the applications, during integration of theapplication into an end-user environment, or at run-time.

There exist many forms of software distribution today including PackagedSoftware Distribution, Electronic Software Distribution (ESD), On-DemandSoftware Distribution, and several next-generation distribution systemssuch as the ClickOnce system from Microsoft. Each of these distributionsystems exhibit several basic patterns relating to how the software isdistributed, how it is installed and removed, and how the softwareinteracts with both the host operating environment and otherapplications.

Software Distribution

Though software is still available on physical media such as CD-ROM orfloppy disks, electronic means of distribution have become prevalent formost forms of software. There are many forms of ESD systems such asthose offered by vendors such as Microsoft, Marimba, Altiris and othersthat are designed for corporate use, and others such as those fromDigital River and others designed for Internet or public accessnetworks. ESD systems provide application software to end-users andcorporations in the form of installation packages that can be downloadedand installed in some fully or relatively automated fashion. In the useof this software, it has often caused installation problems such asconflicting dependencies or other misconfigurations.

Other software vendors have developed systems for distribution ofsoftware as it is used or “On Demand”. In these systems, applicationpackages are distributed on an as needed basis to the end-user systemsthat require use of the software. The software can then be installed andremoved on the fly from the target system, or in some cases “virtuallyinstalled” whereby the software executes on the end-user system as if itwere installed, when in reality it has not been installed. The virtualinstallation technology ensures the application runs as if it wereinstalled, but insulated the application from the operating environmentand other applications.

Several other technologies have been presented to the market, such asMicrosoft ClickOnce or Sun's Java Management Framework. In many of thesesystems, the problems of installing software are conceptually obviatedby preventing software installations from modifying their hostenvironments. This is done by requiring any compliant software to gatherall of its configuration from harmless, internal sources such asconfiguration files, and not using any system wide registry or otherapplication configuration entities. The software is also restricted fromrequiring setup within the host operating system or modifying its hostin any way.

In general, software can then be seen to be either installed in a targetoperating environment by modification of its host configuration, throughvirtual installation which simulates the modification but does notactually perform it, or through restriction of environment modificationby creation of self-contained software. In these systems, removal ofsoftware is tied to how it was installed. If normally installed, it mustbe backed out by a reversal procedure or uninstallation program. Theseprograms often fail and cause damage to the host environment. Forvirtual installation systems, the software was never installed, thusthere is no need for removal. For self-contained environments, removalis simplified by ensuring a simple uninstallation procedure that can bemade non-invasive as well.

The Integration Problem

In all of the described systems and any system for execution ofsoftware, the problem exists as to how to characterize and facilitatethe possible interaction of one or more software applications with itshost environment and/or one or more additional applications to beinstalled or run in the same environment. Many applications are eitherdesigned to work together, intercommunicate, or are designed to work bymodifying their host environment. There are many other modes ofinter-application association, those described herein are simply used asexamplar cases of the problem to be addressed, though the problem ispervasive to all or most known modes.

Applications that are designed to work with one another typically followone of several patterns. First, many applications are hosts for otherapplications to “plug in” to. An example of this is Adobe Photoshop orAutodesk AutoCAD which provide an ability for third party softwarevendors to create extensions to their primary application. In thepresence of this plug-in, the Photoshop user interface will appeardifferent to the end-user, containing the new functionality offered bythe plug-in. There is no requirement for end-user visible changes. It issimply one mode of operation of a common plug-in.

Alternatively, some programs can simulate the appearance of“plugging-in”, by exploiting undocumented interfaces of programs, orotherwise modifying its runtime behavior, though the original vendor didnot intend it. Several programs exist which provide wrappers aroundother software programs, such as embedding the program and its userinterface within another. When certain functions are chosen within thewrapper, the host can drive the other application to perform some work.This can also be a loose integration, such as through the creation of a“launcher” program which does not host the other software application,just merely starts it at the user's request.

Several applications use other applications to perform part of theirwork. Software such as PDA applications use contact managers such asMicrosoft Outlook as their data repository for synchronizing contactinformation. Outlook is not shipped as part of the PDA application, butthe software can communicate with it to perform its synchronizationtask. Many programs utilize Microsoft Word to perform Mail Mergefunctionality.

Programs can also communicate with one another through standard orproprietary means to perform work. This can be something such as anRemote Procedure Call (RPC) through COM/DCOM, MTS, CORBA, SOAP or othermeans. This can be a raw TCP/IP communication session, or even somethingsuch as an HTTP request. The primary issue at hand here is that theavailability of intercommunication can change the manner in which aprimary application behaves. As an example, a packet dumper orcommunications troubleshooting program will often be able to view andformat many different communications protocols. However, if you are notin an environment using CORBA, you would not need to configure thatprotocol. This configuration can be done by detecting whether its hostor nearby hosts are configured to use this protocol.

Programs can also loosely interoperate through sharing data files orcommon databases. This can be through simple file sharing or throughcompound document interfaces such as OLE or OpenDoc. In the compounddocument case, a particular compound document would rely on the presenceand integration of the software applications which can host the variouspieces of its internal document structure. In the case of databasesystems, the coupling is often very loose, but still requires someconfiguration to be present to cause the integration.

Finally, many programs can operate differently in the presence ofsimilar operating systems that are configured differently, or can havethe purpose of configuring a particular host operating environment orother software application. A simple example program would be TweakUI, aprogram used to change the configuration of the Microsoft Windowsdesktop environment and many other aspects of the operating system.

In all of the cases described above, software applications eitherpresume to be alone in their view of the world, or will purposefullyfunction differently in the presence of other applications or hostenvironments. This can present a problem for the software distributionsystems discussed. It is most often the case that not all of thepossible associations are known at distribution or installation time.Thus, the distribution system must provide a means to adapt to changes.

Once an application is configured for distribution, it must often bereconfigured if the environment changes. Additionally, duringconfiguration all of its associations must be known or it may not beconfigured properly. In the case of virtual installation environments,the default behavior is to purposefully disassociate any programconnections. Thus, a means must be provided to overcome this limitation.Or in the case of self-contained environments, a reasonable means ofassociation must be found that does not violate the container paradigm.

Visibility/Discoverability

In order for two applications to interoperate, they must be visible toone another at some point of time. This can either be through a means ofdiscovery at installation or run-time, or by some manifestation orinterface of one program being visible to the other at these times.

The problem of visibility can be fairly complex, as programs will oftenuse non-deterministic, or undocumented means to find one another.Presence can be determined, for example, by looking for the existence ofthe application to be integrated with. This can be done by searching forone or more of its executable components, searching for itsconfiguration within a common registry such as the Windows Registry,searching for a trace of the application within some common locationsuch as an execution shortcut or its configuration in the UNIX/var/optor/etc file system locations, searching for one or more of itsinterfaces at common locations, querying its host operating environmentfor its existence, or one of many alternate approaches.

For systems such as the virtual installation technology, discoverythrough these means of search can fail even though the program isconfigured to execute on the host in question. With the virtualinstallation technology, there is no trace of the program on the hostenvironment. The only knowledge of its availability exists at a serverconfigured to deliver the application to the host. Also, some virtualinstallation systems provide host integration to things like the desktopsystem, thus making only this one form of discovery viable, even thoughan application is not configured to do its discovery in this way. Avirtually installed software component is by default not visible toanything but the actual software itself. Thus, for discovery to be done,an alternate means must be provided to facilitate.

In the case of self-contained environments, the actual manifestation ofthe software components within the host environment can varysignificantly. The Microsoft ClickOnce technology, for example, canplace the executable components of the software application at alocation within the host environment that is hidden from the rest of thesystem or that can change over the course of its existence.

Discovery can also be done through a central or decentralized repositoryof software. Systems such as UDDI or JNDI provide a means of discoveryof software applications at an interface layer. The existence of arecord within UDDI implies the availability of the software at apredefined or dynamic endpoint. In virtual installation technologies,this endpoint can often only exist within the virtual installationenvironment such that a UDDI query within the environment would resolvean application's existence where it would not outside the environment.Or alternatively, the UDDI or JNDI query would resolve to a dynamicendpoint which is simply a proxy for the virtual application.

The problem of discovery is further compounded by changes at installtime and post-install time. If one application is installed on a machinethat can integrate with another, but the second application is notinstalled, it may not configure itself to interoperate. If the secondapplication is subsequently installed, it is often the case that thelogic for configuring interoperation is only done at install time of thefirst software application. Thus, the first application must bere-installed to provide integration.

Furthermore, if an application is configured to integrate with a secondapplication and that second application is removed, the firstapplication must be able to either reconfigure, or handle the removalprocess. As seen in practice, this is often not the case. The removal ofthe second application can cause the first program to fail or otherwisebehave poorly.

The presence of applications can also be determined at run-time andcause behavior changes to applications. A software application candetect another program by trying to talk to it at known interfaces,looking for its process running on the host, finding one or more of itsapplication windows, or using a broker service such as MTS, CORBA, orDCOM.

Intercommunication

Once applications are configured to interoperate, they must still have ameans in which to intercommunicate. In a normal, single user executionenvironment this is rarely a problem unless something has changed in thehost configuration causing execution to fail. However, in virtualinstallation environments, multi-system environments or in multi-usersystems, intercommunication can fail to work properly without additionalconfiguration.

In the normal operating mode of the Operating System Guard, defaultcommunication endpoints are retargeted to remove the possibility ofconflict with some pre-existing endpoint. Thus, when one applicationattempts to communicate with another, the communication will fail eventhough both applications exist and are configured to know about oneanother. This is a result of a guarantee by the system that eachcommunication endpoint will be retargeted differently. Thus, a systemmust be provided by the Operating System Guard to coordinate the processof retargeting to ensure communication sessions connect and operateproperly.

For multi-user environments, the problem is similar. If a program is tobe used by more than one user on the same host, the communicationendpoints must be mutable on a per user basis, and retargeted the samefor each user. In Microsoft Terminal Services or Citrix MetaFrame,communication endpoints such as semaphores and mutexes are alreadyrewritten to be unique within a terminal session, however multipleinstances of the same program in a single session can still manifestthis problem. Additionally, standard communication such as sockets, COM,named pipes are consistently global to the machine and not muted in anyway, thus causing the problem to occur.

Operating System Integration

Most modern software is designed in some way to integrate with its hostoperating environment. Desktop class software typically provides programshortcuts or other simple means to access the software product. Theseshortcuts enable the operating system to display a user interface forrunning the product. In most cases, server class software providesinterfaces for management and simple startup/shutdown configuration.

In all cases, the host operating system must provide some means toaccess the installed software. Most often, the desktop shell such as theWindows Shell or the UNIX CDE or KDE is used to provide a commonlook-and-feel and integration points for software. It is theresponsibility of the software vendor to install its software in thecorrect means to integrate with these touch points. Some of theseinterfaces are simple for things like shortcuts, others are more complexsuch as context menus that are used when a user right-clicks on themouse.

There are also management interfaces that allow common commands or userinterfaces to be used to manage software and hardware. Things like theMicrosoft Management Console or the Microsoft Windows Installer or theLinux rpm database provide common places to find management informationwithin the operating system.

With the presence of software that can be added or removed, virtuallyinstalled, or otherwise provided on demand, these interfaces must alsobe either dynamic or able to be managed dynamically. The operationalbehavior of the operating system will be made to reflect the nature ofits active applications.

Versioning

The problem of integration and interoperation is further exacerbated bythe existence of more than one version of a software program or itsinterfaces. If two programs can communicate and one of the programs hasmultiple versions, there must be a means to know which version of theprogram to use. Commonly only one version of the program will operatecorrectly with the calling program. In this fashion, a dependency isknown to exist between the two programs. However, if both versions ofthe program work correctly, the dependency must be articulated in such away as to indicate version independence.

Many systems such as the Microsoft COM architecture provide a versionedinterface for programs to intercommunicate. In this system, a programinterface is given a Globally Unique Identifier, GUID, and one or morenames to use to identify itself. In addition, a program can be given aversion independent identifier. This identifier implies that a programcan communicate with it, irrespective of the program's version.

In practice, these types of identifiers are often mistakenly used whenin fact a version dependency exists. Most novice programmers presumethat if they use the version independent identifier, it will alwaysresolve to what they are looking for. This leaves the program that hasbeen built to require always functioning correctly with the most currentversion of the dependent software. If the dependent software haschanged, and is no longer compatible even though the version independentinterface exists, a problem will occur. It is left up to the softwaredistribution system to resolve these mistakes, which often cannot beresolved.

Alternatively, many programs do not have version dependent orindependent interfaces, but nonetheless have version dependencies thatare only understood through testing or common practice. A program whichdrives the user interface of another often expects its Window controlsto be at specific physical locations, or to have specific class names.Another version of the same program might not adhere to theseexpectations. In this case, the driving program can only use the firstversion of the software correctly.

The converse of this problem also exists. If there is a program whichneeds to drive another program or communicate with it, and can only doso using a specific endpoint such as the Window class name, the twoseparate versions of the software to be driven may actually use the sameendpoint. In this case it is required to allow the driving program toconnect to the correct version of the software at the desired endpoint,but still facilitate the operation of the other version of the softwareusing the same endpoint.

Naming

A significant portion of the problem as stated is a basic problem ofunderstanding names. Names come in many forms and can many verydifferent things in different situations or “contexts.”

In a computer system, a named object can be almost anything. A file hasa name: “C:\Windows\notepad.exe”. A registry key:“HKLM\Software\Microsoft\Windows\CurrentVersion\Run”. A named pipe:\\PIPE\ExamplePipe. A font: “Tahoma Bold”. A TCP Port for HTTPcommunications: 80. The name of a table in a database: USERS. Even aglobally unique identifier, GUID, is fundamentally a name for someobject. In practical use, many other objects are named in such a manneras to make their names significant. The title of a news article, theauthor of the news article, or its publisher.

Once an object is named, there is an implicit understanding that tolocate the object one would use the provided name. If two objects havethe same name, some process must be accommodated which resolves theappropriate object in question. If separate applications attempt toutilize a common object, normally the applications will resolve thatsingle object. However, if one application modifies that object, it isoften desired to have that modified object no longer used by the secondapplication. Thus, each application would need to have a method toresolve the different objects using the same name, and a means to trackthe changing objects.

Furthermore, if a named object exists, and that same object existswithin a virtually installed application, the virtual application willwork by resolving its internal object, but there still remains the needto locate the virtual object for programs outside of the virtualenvironment.

Thus, in a network where applications and objects can have variablelifetime, differing meanings over their lifetime, and potentialcollisions, a unified solution is needed to manage the interactions ofthese objects. Systems of the current art, such as the JNDI or UDDI relyon system wide registries of information to provide absolute informationthat does not reflect these characteristics. JNDI queries are able tounite disparate namespaces by creating junction points. However, usersof the system are required to deal with naming collisions solely by notdoing so. In practice this is very difficult as many systems must havecommon but different definitions of objects in order to perform theirwork. The JNDI system provides no means for folding or mergingnamespaces, nor any means for control of versioning or conflictmanagement.

Contexts

The solution to the problems presented above are solved in the presenceof the ability to provide the appropriate configuration, named object orinterface in the context of the scenario at hand. The embodimentsdescribed herein show a system that a) automatically understands theinterdependencies of software programs, b) creates operational contextsin which programs can share and/or modify similar views of their hostoperating environment, c) controls the enabling or properties of thesecontexts, and d) facilitates the intercommunication and interoperationof these programs that would otherwise fail.

The embodiments provide methods in which to operate one or more programsin a host operating environment and couple together the behavior ofmultiple systems in a controlled fashion. In an exemplary system 150shown in FIG. 5, there may exist one or more computing devices. Thesedevices can be single user 155 or multi-user 156 devices, wherein anoperating system and one or more applications will execute. There mayalso exist infrastructure services 158 such as server systems likedatabase servers, file servers, or other line-of-business applicationservers, as well as some infrastructure 157 for managing the network andsystems.

When a software application executes within a network of devices, itwill thus have the ability to interact with other software at severallevels. In a preferred embodiment, the basic levels include: Global,Managed, Local System, System Virtual, Vendor, User, Session, Shared,and Isolated. These levels are shown in FIGS. 6 and 7. These groupingswill be called contexts, corresponding to runtime environments thatapplications execute within augmented to enable policy based control ofcross-environment interaction. Someone skilled in the art will recognizethat other contexts can simply be created, those defined herein aremeant to be examples of application of the invention.

A Global context 201 is the view of the entire system in an embodimentillustrated in FIG. 5. Objects or names that exist within the globalcontext can be seen and shared by all users and all software programs asallowed by security policies. In an alternative embodiment, the Globalcontext could be altered to cover a Corporate context 204 covering allthe machines of a company, a Federated context 206 for sharedcomputations between companies, and a Global 201 or Distributed contextcovering all participating entities.

A Managed context 207 is a wide view of a set of machines, users,resources and/or applications within some scope of management. Thisscope could be the set of systems managed by a distribution system suchas one of the ESD solutions or virtual installation systems 214. It canextend across corporate boundaries within divisions, or if a managementsystem is to be hosted by a service provider 202 such as an ASP, thiscontext can stretch across the provider's customer systems 204 205. Thiscontext exists so that any system which implements the methods of thecurrent invention can interoperate with other management systems, andother instances of itself.

A Local System context 302 provides a view of all operations within aspecific machine 301 or virtual machine (such as a VMWare partition).This is equivalent to the Microsoft Terminal Services “Global” context.Systems in the prior art from Citrix and Microsoft attempted to resolvesome of these contextual issues by subdividing a machine into a Globaland Session specific namespace.

A System Virtual context 310 allows programs such as those delivered byvirtual installation technologies or the Operating System Guard to shareoperations and objects with the local operating system such that theyboth operate within the same namespace. A specific System Virtualcontext encapsulates one or more applications with the operating system.There is no requirement that all applications share in the same way withthe OS.

A Vendor context allows a software vendor to create a scope whichencompasses all operations that exist within a machine but are relatedto systems that use their software or hardware. One example in anembodiment is software that is managed by the system that will coexistwith other software on the same machine. Within the Vendor contextsoftware is grouped based on what is managed and unmanaged.

A User context 211 provides the ability to group operations into thoseoperations done by a user. Note that this context is not limited toexisting on one single machine. This context can stretch across multiplemachines or sessions that are executing operations on this user'sbehalf. This behavior allows a user with more than one session runningin a network to have coordination between the applications that they areexecuting.

A Session context 212 limits the operations to one user's operations onone machine. This correlates to the local user namespace of TerminalServices or to a UNIX telnet/tty session in which a user which is loggedinto a machine will have an identifiable scope.

A Shared context 312, shown in FIG. 7, provides a unique, sharingconfiguration dependent scope that is administratively defined. Thisscope enables two or more programs to share configuration and objects orbe visible to one another. Within a preferred implementation of thissystem, there are multiple shared contexts. Each context contains a nameand a set of policies that define the sharing behavior. In this way,multiple different segments of applications can share overlappingbehavior.

An Isolated context 311, shown in FIG. 7, is the default behavior for avirtually installed application. In this scope, an application iscompletely isolated from all other programs and is in a sense invisible,all normal interfaces and named objects do not exist outside of thecontext.

These example contexts show how the embodiments of the present inventionneed not be explicitly hierarchical in design. Though the OperatingSystem Guard operates as a layer between the operating system andindividual applications and between applications, there is norestriction that applications or contexts be layered hierarchically.This effect can easily be achieved, but the system of the currentinvention is able to couple together 1-to-n environments unrestricted bythe network or system architecture. This allows contexts to becontemplated such as the User context, which as indicated can spanmultiple machines.

Operational Characteristics

The system in an embodiment is designed as a software layer whichintercepts normal communication of programs with the host operatingsystem, with each other, and within the operating system. In analternate embodiment, the system is implemented as a code library forcompilation into a program specifically enabled to take advantage of thefunctions of this system. Each individual application request can thenbe evaluated within its particular operational context. The system willlook at all types of requests such as file system requests, registryrequests, shared objects, fonts, code libraries, and others. Theserequests are typically for but not limited to configuration items, namedobjects or communication interfaces, which will be uniformly calledresources. Resources have variable lifetime and may or may not bepersisted beyond the duration of their use.

In the system illustrated in FIG. 8, there are shown two applicationsutilizing the resources of each other and the operating system. Thereare three different scenarios shown. One in which a program, ApplicationA 402, attempts to use resources which are configured for use only byitself, Resource Set 1 404. Another scenario whereby Application A 402attempts to use resources configured for another program, Resource Set 3406 configured for Application B 403. And finally one in which bothprograms attempt to access shared resources, Resource Set 2 405, thatmay be configured for access by each program. Note that this diagram isfunctionally equivalent to the diagram in U.S. patent application Ser.No. 09/859,209 “Operating System Protection and Abstraction Layer”, butis shown to clarify the process.

This diagram shows a basic premise of the system, whereby one or moreresources can be configured to be private to an application, or thoseresources can be shared. Sharing can be done as a body of resourcesavailable to one or more programs, such as a set of shared libraries. Itcan also be performed so as to allow one program to share its resourceswith another. Conversely, privacy ensures that resources of one programare not available to another. In all cases, the intermediary layer isresponsible for allowing or disallowing shared operations, or otherwisevectoring the operation to an alternate context.

In an embodiment of the current invention, the resources in each set 404405 406 are stored in separate namespace container objects. Theseobjects enable separable storage for combinations of namespace types andcontexts. An example of a namespace container is a file system containerfor a user's personal settings (the User context) for Microsoft Office.These containers allow storage of resources to be done in a localizedand independent fashion, appropriate for each combination, but thendynamically put into the correct namespace by the functions of thecurrent system. Resources can be persisted in a namespace container, orsimply metadata required to recreate the appropriate resource or namedobject.

One can appreciate that many forms of storage, data structures, etc. canbe utilized to achieve this functionality or an equivalent. For example,a namespace container can be a single file containing all of the dataand metadata associated with the resource set stored in a local ornetwork file system. In another example embodiment, a namespacecontainer can be a proxy object forwarding requests to underlying orremote systems.

In the system of the current invention, there are three basic models ofinteroperation. The Producer/Consumer model, in which one applicationcan be providing resource services to another. The characteristics ofthis model are one way associations where one or more programs can bedependent on another for providing resources or services without areciprocal need. In this model, a consumer will be restricted in accessto the necessary integration points of the producer. Thus, theenvironment and namespace containers of the producer will not begenerally accessible to the consumer, but instead only configuredresources or programmatic interfaces will be allowed. An example of thismodel is the common use of programs such as Microsoft Office forfunctionality such as the use of Microsoft Excel by Great Plains inorder to generate spreadsheets from the accounting data it holds. Exceland Great Plains are useful and functional as independent programs, buttogether can add this functionality. Great Plains simply needs toprogrammatically drive Excel, not needing any access to the internalconfiguration or state of Excel itself.

The second model is a Peer model where one or more programs are able tocooperatively share resources. In this model, sharing is allowed, butmodification is tightly and specifically controlled as defined bypolicy. The environments and resources of the peers will appear toco-exist as one set in a single namespace, but will be handledseparately according to the policies defined herein. An example of thismodel is the shared database driver or Microsoft Office plug-in. Adatabase driver is commonly used by many programs on a machine. In orderto function properly these other programs must have access toinformation concerning the configuration of the driver.

Finally, the system supports a non-interoperation mode where there is nosharing, the default case when no dependencies or contexts have beendefined. Alternately, as shown above, an Isolated context can be createdwhich correlates to this mode.

As the primary program in FIG. 8, Application A 402, is operating, itwill make requests for resources. Each of the application requests isevaluated by the software core to determine its relevant context andavailable scopes. This core is shown in detail in FIG. 9. When a request510 is received, the Context Manager 503 requests its source to beidentified by the Process Manager 504.

The Process Manager 504 is responsible for keeping a view of theprocesses running on its host, and operations taken by those processes505. This view correlates to a process tree of parent and childprocesses and threads. This allows the system to establish a baseunderstanding of which resource pool is the default for a particularprocess or thread in operation.

The source resolution phase is an important step, as many requests willappear to come from the operating system, when in reality they weresourced by an application. An example of this is a file system call. Awrite request to a file may be delayed by the operating system, butfulfilled to an application program. Later, when the operating systemflushes the write to disk, the request will come from the operatingsystem itself. For context management to work properly, this requestmust be tied back to its originating program. Another exemplary case isshown where a program does things on behalf of another such as theMicrosoft Windows Application Management service. In this case, aprogram will request that the Windows Application Management serviceperform some installation task such as registering its components withthe host system. A system which looks only at the process owner of aparticular request would determine that this activity were part ofeither the operating system itself, or tie it to the ApplicationManagement Service. However, the desired result is that the actions aretied to the program which requested the services to be performed.

In an exemplary implementation of an embodiment of the invention, commoninterfaces and communication pathways of an operating environment areinstrumented. These instrumentation interfaces are used to captureinformation that is useful for identifying source contexts. As describedabove, the request interface for the Windows Application Managementservice is instrumented to identify the calling program of aninstallation request. The contents of this API call is sent to theProcess Manager 504 to store for future use. During the valid lifetimeof this API call, the Process Manager 504 can keep this information in atable and use it as a means to lookup the owner of a request.

A request is transmitted through the system as a Request object 510. Asstated above this object contains attributes associated with the APIcall that originated it. Additionally, a Request contains, for example,data about its subsystem, request type (eg. create, query, delete),target, and parent request. In an embodiment, Request objects areimplemented as object oriented classes correlating to eachcategory/subsystem of request. This allows each subsystem 511 to storerequest-specific information without affecting the interfaces of otherparts of the invention.

When a resolution quest is received, the Process Manager 504 searchesits tree of processes, threads, and actions to find a candidate source.This process table 505 is shown in FIG. 10, containing a list of processidentifiers (PIDs), thread identifiers (TIDs) and state or action objectpointers (SPtrs). Each entry is a process object that can be a parent ofone or more process objects. The parent-child relationship mirrors thatof the host operating system. Each process object 603 contains pointersto state objects 604 that hold references to past actions if necessary.In the preferred embodiment, each action can consist of an operation,the operations data, and the source process identifier that requestedthe operation. In practice other data is stored, such as, for example,the result of the operation, success or failure and its result code,timing or lifetime information concerning the operation, and securitycredentials for the operation.

If a process or thread is associated with an action, the process list issearched to identify if the action matches the current request. In theprevious example of the Windows Application Management service, the APIcall by originating program would cause a state object to be createdunderneath the Windows Application Management service process object.This state object would identify that the originating program was thesource of the requested action. When the Application Management serviceattempts to fulfill the API request by taking an action such as creatingor modifying a file, the Process Manager would find the state objectassociated with the call under the process object of the WindowsApplication Management service, but would return that file is actuallybeing created by the originating program using the service.

Once a request source is understood, the Process Manager 504 will returnthe process and thread id of the request owner, and its true sourcethough these may be the same, to the Context Manager 503 where it ismatched to its one or more contexts. In one embodiment, the ContextManager 503 contains a table of the available contexts of the system, aswell as the associations between contexts, as shown in FIG. 11. Acontext will contain a basic identifier (CID) along with its contexttype (CType). The context itself then requires a pointer (PoPtr) to oneor more policy objects 705 which enable or disable functionalinterrelation. A policy object will contain its own identifier and amatch mnemonic for identifying the machine subsystem(s) as well asrequest correlation parameters and rules for applying the operations,such as the source namespace container for a resource and transformationoperation for the named object. An example policy is any modification,for example, write, delete, etc., to a file that matches, for example, aMicrosoft Word file type, (*.doc) that should be made to the localsystem namespace container. One skilled in the art will recognize thatthis policy can be codified in various forms.

This table can be built statically and/or dynamically as applicationsare used in the system and can be done using any technique such as ahashtable, list or otherwise. When an application is started, this tablecan be loaded to indicate all of the application's associated programs,namespace containers and contextual relationships. The embodiments ofthe system of the invention also allow the Context Manager 503 to queryexternally, through a management interface, to load new contexts orrespond to changes in system configuration. Thus, if an application isadded that is a peer to a running program, its contextual informationcan be loaded into the live system. Additionally, a Context Manager 503can notify the external management system through this interface of itsrunning or loaded contexts, so that these can be shared with othermachines. One skilled in the art will appreciate that this also can bedone directly with another machine.

The Context Manager will feed a candidate list of contexts to the PolicyEngine 506. Policies for each context are applied in addition to user,machine or system specific policies to determine the need to resolve therequest within a particular context, and to enforce security. Thisprocess quickly limits the number of candidate contexts to evaluate arequest within. The Policy Engine 506 will be described in more detailin the following section.

The request is then evaluated one or more times within each context bythe relevant resource management subsystem, whether file system,registry or otherwise. The results of each request can then be analysedby the Context Manager and a net result returned to the calling process.The Context Manager is able to map the request into the appropriatesubsystem through its environment table, where it tracks virtualapplications and objects or applications that are being managed, but arefully installed or configured on its host.

In practice there are several classes of operations that need to bemanaged in this fashion: read, write, query/lookup, create,rename/modify, enumerate and delete. In the preferred embodiment manyother operations are handled, it is simpler to describe the basic systemmodel without the particulars of all handled operations. By handlingeach class of operation separately, the system enables policies to beauthored which allow read access to resources, but can deny or vectorwrite access to alternate resources, namespace containers or otherwise.

In a read operation, the system has many options to fulfill the readrequest. If the read is for a file, this file may exist within one ormore contexts. It is up to the Context Manager to determine what toevaluate. One skilled in the art will appreciate that this can beaccommodated in several ways. The request can be made in all of thecontexts, then determination of which response to utilize or how tocombine the responses can be done according to its rules. The requestcan be filtered by the available contexts and determined which contexttakes precedence and only make the request within that context. Or as anexample, the request can be evaluated within each context successivelyuntil some success criteria is met. In the case of the read operation,success may be indicated by the ability of the context to support datafor the read operation.

The Context Manager is also able to cache the results of its resolutionprocessing in order to make common requests which follow a pattern notneed an entire resolution phase. Additionally, the Context Manager isable to distribute queries through hashing of contexts. This hashingprocess allows the system to quickly consult its table and query othertables, without performing a full operational query.

The importance of the context approach is seen where the file in theexample above may be read from the context of one application program,but when it is written to, the actual write operation occurs within thecontext of another. This behavior of the system is what can allow twosystems to interoperate with one another, but still remain isolated orindependent of one another. As described by the Operating System Guardspecification, a file which is part of the operating system can beviewed within the context of a running program, but if the programattempts to modify the file, that modification can be kept within theprograms context and not filtered through to the operating system.

The same is true of rename and deletion operations. A file that isdeleted in one context may be necessary for another. Thus, the system ofthe present invention holds not only existence information andconfiguration, but also, for example, tracking information on deletionand renaming.

The querying process is most straightforward. As with the readoperation, it can be fulfilled in a layered fashion, through groupprecedence, or any means the system chooses. However, the purpose of theoperation is to validate the existence of or return a handle to a namedobject within the correct context. The system of the current inventionapplies the contextual policies to determine what is the correct object,whether it is visible in the current context, and how to manage itsscope internally.

In an embodiment of this invention, the system is also able to handlecontextual enumeration and interleaved queries. Many data structures orresources within an operating system or its applications are accessed bytraversing a tree structure or asking the system for a list of contentsof some resource. In practice, these operations require the interleavingof contexts and resources. As an example, an application can have aresource associated with it. However, this resource is only valid ifanother program is associated with itself and active.

As shown in FIG. 12, a resource may be attached to a resource tree ofanother program. So, during query for this resource, the system must beable to interleave the namespaces of the two separate configurations.But, if policy does not allow the union operation, neither direct accessto the named object, nor enumeration to it will occur. In the exampleshown in the figure, an application, Application A, is configured withthree items representing Windows Registry key objects. The objectHKLM\Software\Drawing Vendor\Photo Editor\Plugins\PinheadSoftware\Inline Plugins\Snapshot 805 will only exist if the secondapplication, Application B, is configured within a context shared withApplication A.

This is even though the object actually exists in Application A. If theitem “Pinhead Software” 802 does not exist in the context of ApplicationA, then it can be stranded. The system is designed to fail enumerationto this resource, since there will be no path to follow to it, and tofail direct access to it as well, both unless the secondary applicationexists. Furthermore, if Application B is instantiated alone, then itsresources that are subjunct to the other 802 803 will fail to exist forthe same reason.

Namespace Management

In its most basic form, a context is a separate namespace for exposingresources of an application, and a method for persisting operations madeon these items. A namespace is a domain or scope within which to map aunique name to some identifiable resource. The Operating System Guardlayer is an intermediary that creates and manages this alternatenamespace. Applications are unaware of the intermediary. They simplycreate objects with a given name and expect to be able to reference themat a later time with the same name. The layer manages multiplenamespaces, but enables them to appear to be a single namespace to theapplication executing or the rest of the system. In this way, a singleresource presented to operating network 150 can actually be backed bymultiple resources from various different namespaces.

By default, the intermediary layer creates an Isolated context by whicheach program instance that loads has a private namespace. As theapplication creates and uses resources, the object name will belocalized to only exist within the specific application instance. Thisis typically done by ensuring the object only actually exists within theprogram's scope, but can also be done by hashing the object name withina larger namespace and being able to retrieve it through a reverseprocess. In this manner, another program is not able to request objectsthat do not exist within its namespace, without reverse engineering thefunctions of the intermediary.

The name that an application uses to reference an object will bereferred to as the common name. Two separate applications on a systemcould use the same common name, but refer to different objects. Theintermediary is responsible for creating an instance specific name thatcorresponds to the correct object. This is called the local name. Foreach local name, there is an additional absolute name which is uniqueacross the entire system. Every reference to an object using itsabsolute name references the same object.

Common names are specified by the application. Local names are generateddynamically by the intermediary at runtime by evaluating the common namewithin its context. The system does not need to generate an absolutename, but may choose to based on the dependencies of the program and itscontextual relationships. The application is never informed of theabsolute name. It is up to the intermediary to map the local name to theabsolute name, as well as the correct common name to local name and viceversa.

In the presence of contexts, two applications in the same context willbe able to reference the same object if they use the same common name tocreate and access the object. It is the responsibility of theintermediary to connect the object requests. There are several methodsof connecting these requests. In the preferred embodiment, theintermediary layer often will choose to hash object names in the samecontext in the same way. Certain other operations can be fulfilledsimply by redirecting the request to an object of a different name. Forapplications in loosely connected contexts, the functions used by thesystem allow it to utilize a fast searching method to locate the objectand make an association between the objects. In the preferredembodiment, a distributed lookup with local result caching is used inorder to quickly resolve names.

In an example of the system, a program can attempt to utilize a resourcewhich is available in three locations. First, it is available in theprogram's primary configuration, as well as a secondary dependentconfiguration. It is also available as part of the operating system. Inour example, we will choose a file MSCOMCTL.OCX. Normally, this resourcehas a common name of C:\Windows\System32\MSCOMCTL.OCX. Using theOperating System Guard, the intermediary layer allows this name to existin all three configurations. To all configurations, the object's commonname is the same.

The intermediary layer allows the program in question to have a copy ofan object with the same name. Additionally, the secondary configurationcan have an object with a different name, but in its configurationspecify a virtualization command that tells the system that the object'scommon name is C:\Windows\System32\MSCOMCTL.OCX. This allows theOperating System Guard to store objects in different namespaces orstorage locations than they are actually used within, mapping thesenamespaces at runtime to surface its behaviors.

In this example, all three objects have the same common name. Thecontext resolution process will choose which object takes actualprecedence. Then, the system will generate or use a properly localizedname. In this case, the system would be able to choose the object in theprimary configuration, and choose to map the local name within thecontext of that program instance.

As the scope of a context gets larger and broader, the system is alsoable to provide a Namespace Manager 508 function to create, query andretrieve namespace mappings. As a program normally attempts to utilize aresource with a common name, the manager is able to query its list ofother programs using a resource with this common name. This can then beused by the Context Manager if any of the additional programs share acontext. If so, a mapping can be made to ensure the sharing programs usethe same resource. This can be done by enforcing the use of the samelocal name, or by use of a system absolute name. This is particularlyuseful for contexts which extend beyond machine boundaries.

Note that this operation can result in the side effect of the Loader 509retrieving a namespace container and loading the metadata of theresources contained therein. As the resources may have variablelifetime, the Namespace Manager 508 implements resource managementoperations including reference counting/tracking, loading andfinalization of containers, and in some cases speculativevirtualization.

Speculative virtualization is a process used during operations such asread and write operations to a file, registry key, or other resource.When a resource is opened or queried, the system may presume that theresource will later be altered and can execute the additional policy todetermine what a further operation such as a write may effect in thesystem. The system may then execute ahead of time or in the backgroundthese operations to avoid further cost or latency if they are actuallyperformed. As with all speculative operations, the system must be ableto undo the action if the subsequent operation was not performed. In anembodiment of the current invention, the system uses speculativevirtualization to assist in avoiding what can be a high cost ofcopy-on-write operations. When a file is changed, a copy-on-writesemantic can incur high cost if the file is large, remote or both. Thisprocedure allows the copy-on-write action to preceed early, in thebackground, to avoid the runtime cost of the operation.

This Namespace Manager can also operate within the management layer of asystem and be the same actual manager that operates within an OperatingSystem Guard, but be configured to answer system-wide queries. Or it canalternatively be a dedicated purpose application. This managementfunction serves to provide a repository of configured absolute names,and map those to large scale contexts.

This Namespace Manager can also manage the time evolution of nameswithin each namespace. This can be used to ensure that a specific objectname is hashed the same way each time, even if the standard algorithmfor hashing may include a time variable. By doing this, one can providetime-sensitive context or semantics to operations. Additionally, thiscan be done by storing usage and mapping information within the system.

If an object is requested by a program at one interface in the past, anda new interface of the same name is available, this time-sensitivebehavior can ensure that system maps to the old interface. This is doneas a default in this system. If it is desired to map to the newinterface, one is able to declaratively assert use of the new version.In the presence of a software system with multiple versions, and asystem such as that being considered herein, one is able to ensure thecreation and use of resources in exactly that manner configured to do soby the author or manager of the software system.

As a relevant example, many systems use distributed function calls suchas DCOM or CORBA, or even HTTP RPCs. Two programs can be configured tobe dependent on each other, allowing communication to occur. The commonname used to connect the programs contains an address and an interface.In the case of DCOM, there is a machine that hosts the distributed queryand its COM UID for advertising its interface. The host may have itscommon name already mapped to a local name. As the remote programattempts to address the host and UID, the system can map both theaddress and UID to correspond to that local name, or it can activate analternative host to ensure the proper version of the interface isprovided. As indicated above, the mapping of common name used by theremote program to the local name used by the host can be done internallyby the system either by looking up the resource's absolute name withinthe Namespace Manager, or by querying the Namespace Manager of the hostsystem for its common to local name mapping. If a secondary version ofthe interface exists, the Namespace Manager is able to respond with analternate mapping reflecting the appropriate version for the remoteactivation.

Context Policy

It was noted above that a suitable mechanism is required to manage thecases wherein operations can span multiple contexts. The nature of theseinteroperations can cause naming collisions, present cases when it isnecessary to decide order of precedence, or situations for resolvingeffect of change operations. Orthogonal to the existence of the contextsdefined above, is the ability of the system administrator, or in caseswhere desired end-users or software vendors, to establish policies forcontrolling operations. It is desirable to provide the ability for bothmacro and micro adjustment of context to enable rapid configuration, butfine-grained control.

An embodiment of the system of the present invention provides a means todescribe the interdependencies of applications and operating systemsthrough XML based configuration files. It should be appreciated by oneskilled in the art that this process can be accommodated in many ways,only one is described here.

In the system of FIG. 8, Application A has a configuration file a.config408 while Application B has a configuration file of b.config 409, and ashared resource set described in c.config 410. In order to establish aninterdependency between the programs a <CONTEXT> command is placed inthe a.config 408 file indicating that the two programs should coexistwithin a shared context. In this example, the context is a Sharedcontext with a name of EXAMPLE and a context scope of Peer.

In the system, this tag is not required in both programs descriptions inorder for it to be used. It is only required that for it to beevaluated, it must have relevance within a particular security domain.Thus, a program which can share with another will not establish acontext unless a user has rights to both of the programs.

Further, a system can be provided which assists the understanding andevaluation of contexts. As an example, if a Managed context is desired,it is required by the system to understand which systems participate inthe context. This can either be evaluated by each member of the context,or globally by a system-wide service and provided to each machine whenevaluating this context. This was described earlier as part of theContext Manager system and its management interfaces. The system of thecurrent invention facilitates this behavior by allowing policy files tobe created which describe contextual relations separate from thedescription of the software packages.

Policy files can be used to create default behaviors of the system, orto establish basic contexts for use by the system. At any time, thesystem can load or reload a policy into its policy engine for use by itssubsystems. Additional modifiers and variables can be applied that allowthe policy to only be applied to specific users, groups, machines orother relevant configurations. One could appreciate that any number ofvariations can be applied to this technique to control the applicationof these policies, but the basic control is to decide whether or not thecontext is to be applied and what are its runtime behaviors. A policycan also be digitally signed to ensure its integrity throughout thesystem, and avoid users authoring policies to alter contextual behavior.

At an individual configuration item level, the system is also able tospecify that only a particular resource is exposed to contextualcontrol. This utility is extremely useful where two programs need tocommunicate and only need to be able to connect their communicationinterface, but not need to understand any configuration detail. Also,this is useful for corralling the abilities of one program to modifyanother to a small subset of the overall configuration. In the currentexample, the shared resource set has declared in c.config that a Sessioncontext exists for which it serves as a host for a resource\\pipe\testresource. Any application running in the same session as thisresource set can utilize this named resource as well as see its otherconfiguration data at HKLM\Software\Test\Value. In an embodiment of thesystem, if any specific resources are named, then only those resourcesare shared. Otherwise, with nothing specified all resources are impliedto be shared in accordance with the context directives.

Policy directives are also useful for defining the results of classes ofoperations. One simple example of this type of directive would be apolicy that declares any modification to the Windows Registry should gointo the user's personal settings namespace container. These types ofpolicies allow cross-cutting definitions which apply not only tospecific applications but multiple contexts and multiple namespaces andcontainers.

A modifier is also allowed to all context configurations which alloweach specification to be read-only or read-write. The default behavioris context specific. Additionally, in the case of allowing writes to acontext aware association, it is important to identify which context thewrite will occur within. This is discussed in more detail later.However, the configuration file can override the system's normalbehavior to specify a particular target.

Another modifier provided by the system of the current invention is theability to override the order of precedence of the established contexts.Any specific relationship can determined to be between peers. In thiscase it may be natural for the owner of a piece of information to beresponsible for its lifetime. However, it may be desired that theprogram that did the modification only see the modification withinitself. If the two programs were within a Shared context, themodification would not have persisted in this fashion. A modifier canforce this alternate behavior.

Determining and Controlling Contexts

In order for the system to be practicable, it must provide someautomated means of determining the best behavior. By default, theOperating System Guard configures programs to exist in Isolatedcontexts, unless they are explicitly packaged to be within the samecontext. All programs packaged under the same application environmentwill share that one context. It is desired, however, to automate furtherthe creation of interoperable contexts as described earlier. The systemof the current invention provides several means to detect and configurethese contexts and the policies for controlling behavior.

During installation of an application, the system enables theinstallation to directly configure its target context. In the case ofvirtual installation software or the Operating System Guard, this is theIsolated context for the specific program. A new configurationenvironment would be created specifically for the application or set ofapplications that are installed. By indicating to the system the desireto augment an existing configuration, such as executing an installationprogram within the context of the pre-existing application, aninstallation could occur within an environment in an additive fashion.

For software that is distributed and installed in a standard means suchas through an ESD system, the software would normally be installed intothe Local System context. Contrary to the system of the Operating SystemGuard, normally application level software and the operating systemexist at the same locations within a machine. In the system of thepreferred embodiment, the software could be configured to be installedinto a separate context selected at installation time. This wouldnormally be one of the Vendor, User or Session contexts depending on thedesired behavior, but could be any of the available contexts. As anexample, all software from the vendor Microsoft could be installedwithin a context for Microsoft applications.

Using this method, the system can redirect installed objects toalternate storage locations and create common names to map at runtime.This allows applications to be installed on a machine without damage tothe machine or its implied object namespace. The system can also enableinstallation of software to a retargeted system, virtual machine,simulation environment, or the destination host in order to create aconfiguration prior to actual installation on a target machine. Thisallows a virtual environment to be created on-the-fly, not required an apriori step of preparing software for virtual installation.

As described in the prior application, once the installation iscomplete, the Operating System Guard will download its configuration.During this download, the configuration can be analyzed for certainpatterns. These patterns are used to instrument the programs as well asabstract the program from common naming problems. As an example, manyprograms “personalize” themselves as they are installed and writeinformation about the installing user or the machine in which theprogram was run on into its configuration. This system removes thoselocal names and replaces them with common names. Or, if the programduring its installation created an ODBC DSN, it would be known by thesystem to create a dependency on the appropriate version of the ODBCsubsystem.

These patterns can also be enabled live during the installation. Thepatterns can be application specific templates, or generalrules-of-thumb. An example would be a program that installs intoMicrosoft Office would search for theHKEY_LOCAL_MACHINE\Software\Microsoft\Office registry key. A systemimplementing these methods could provide internal rules to implementthese templates, or a configurable set of installable templates.

In an embodiment of the system, a program that is searching forMicrosoft Office would query for the above named registry key. Duringthat query, if the Microsoft Office software is installed on the localmachine, a dependency could be created within the new software packageto ensure that Office is present for the program to function, and acontext created to ensure that the programs are visible to one anotheron a local machine. If the Microsoft Office software were part of avirtual installation package, the system would find this registry keywithin its Namespace Manager and find a list of contexts the newsoftware package may need to interoperate with. It would then be able tocreate a dependency on the virtual package and create a shared contextfor interoperation.

In an embodiment of the system, the available software packages arestored in one or more repositories. The configuration and contextinformation is readily queried by the Context Manager of the system. Atthe time a request is made, that request can be matched against theentire repository for candidate contexts and dependencies. In the caseof the Microsoft Office example, the system would not need a template,but instead would resolve the query for Microsoft Office as coming froman application within the repository. The system would then be able toinstantiate the Office application and its configuration and create thecontext and dependencies for the program being installed.

By default, the system attempts to be as restrictive as possible,configuring the least open or shared context as possible with only thoseresources that are required for sharing. An interface is provided toalter the context policy and configuration, as well as quickly eliminatethe resource level commands and set package wide sharing, or change thecontext.

In view of the wide variety of embodiments to which the principles ofthe present invention can be applied, it should be understood that theillustrated embodiments are exemplary only, and should not be taken aslimiting the scope of the present invention. For example, the steps ofthe flow diagrams may be taken in sequences other than those described,and more or fewer elements may be used in the diagrams. While variouselements of the embodiments have been described as being implemented insoftware, other embodiments in hardware of firmware implementations mayalternatively be used, and vice-versa.

It will be apparent to those of ordinary skill in the art that methodsinvolved in the systems and methods for controlling inter-applicationassociation through contextual policy control may be embodied in acomputer program product that includes a computer usable medium. Forexample, such a computer usable medium can include a readable memorydevice, such as, a hard drive device, a CD-ROM, a DVD-ROM, or a computerdiskette, having computer readable program code segments stored thereon.The computer readable medium can also include a communications ortransmission medium, such as, a bus or a communications link, eitheroptical, wired, or wireless having program code segments carried thereonas digital or analog data signals.

Other aspects, modifications, and embodiments are within the scope ofthe following claims.

What is claimed:
 1. A system in which resources can be configured to beprivate to a software application or shared among multiple softwareapplications, comprising: an operating system (OS); a first softwareapplication (402) and a second software applications (403); first,second, and third resource sets (404, 405, 406), wherein each resourceset includes one or more resources, wherein the resources in each of theresource sets are stored in separate namespace container objects; and anOS guard (100, 401) for controlling the interoperation of the softwareapplications and resources, the OS guard comprising a core (102) formanaging applications and their context, a process manager (120)configured to inform the core of process events, and a virtualenvironment manager including a plurality of virtualization subsystems;wherein the system is configured to operate in the following modes: (a)a first mode in which the first application (402) is able to use a firstresource set (404) configured for use only by the first application; (b)a second mode in which the first application (402) is able to read asecond resource set (406) configured for the second application (403);and (c) a third mode in which both the first and second applications areable to read from and write to a third, shared resource set (405)configured for access by both the first and second applications.
 2. Thesystem of claim 1, wherein the container objects are further configuredto allow storage of resources to be done in a localized and independentfashion, appropriate for each combination, and to be dynamically putinto the correct namespace.
 3. The system of claim 2, wherein theresources can be persisted in a namespace container or in metadatarequired to recreate the appropriate resource or named object.
 4. Thesystem of claim 1, wherein the OS guard is configured to be employedwith an operating system that includes an underlying system registry,and wherein the OS guard is further configured to provide a virtualregistry to the applications but prevent modification to the underlyingsystem registry.
 5. The system of claim 4, wherein the plurality ofsoftware applications are configured to access keys from the underlyingsystem registry by issuing a query, and wherein OS guard is configuredto respond to the query with the key and its value if known by the OSguard, or to pass the query to underlying system registry if not knownby the OS guard; and wherein, if an attempt is made to modify the valueof the key by a requesting application, the OS Guard is configured toallow the modification to occur to itself only.
 6. The system of claim5, wherein the keys that the OS guard uses are specified in threesections, including as commands to modify an existing key, delete thepresence of a key, or add a new key to the virtual registry.
 7. Thesystem of claim 6, wherein the OS guard is further configured to load afirst data file containing basic registry entries for each application,a second data file containing user preferences, and a third data filecontaining keys that include policy items a user is not allowed tooverride; wherein the first, second, and third data files are loaded ontop of each other with duplicate items in each file overriding items inthe file before it.
 8. The system of claim 1, wherein the processmanager is further configured to provide an abstraction layer formanaging a process space and handling thread processing.
 9. The systemof claim 8, wherein the process manager is further configured to groupprocesses together into application bundles (applications), such that anapplication bundle comprises a group of processes that share virtualresources with each other.
 10. The system of claim 1, further comprisinga loader (116) configured to allow virtual environments to betransferred into and out of a running system.
 11. The system of claim10, wherein each of the virtualization subsystems is configured toserialize its configuration for the loader, and wherein the loader isconfigured for staged loading/unloading and combining results ofindividual stages into a single environment description.
 12. The systemof claim 1, wherein the plurality of virtualization subsystems include aconfiguration manager (104); a file manager (106); a shared objectmanager (108); and a device manager (110).